by Covault - Senior Technical Analyst

Get Your Business Back. 

As of July 31st, 2017 there is a new player on the malware scene: a ransomware strain devised by cyber criminals and known as Gryphon. It has been described as a derivative of the GLOBE3 and WannaCry malware families and is currently among the most destructive malware in circulation. This small-business-busting ransomware has taken down hundreds of victims in just two weeks of life. Our experts have already handled the aftermath of this software in Tampa, FL.

The Gryphon ransomware has quickly made a name for itself by being adaptive in its targeting of email users. Gryphon is distributed via spam email carrying infected attachments (such as PDFs or Word documents) as well as deceptive links to malicious websites that masquerade as legitimate ones. Cyber criminals blast out spam email with forged 'To' and 'From' headers, tricking you into believing it comes from a legitimate company such as DHL or FedEx, or even from one of your own customers, as happened in a local incident we dealt with. The email tells you that a package could not be delivered for some reason or, when it pretends to come from a customer, that you have double billed them. In every instance there are subtle clues that the email is a hoax. In our local case, the "customer" used obscenities in the email accusing the business of over-billing an invoice; it was clearly abnormal for that customer to use such language. Nevertheless, the accounting department opened the PDF file, JavaScript embedded in the document executed its payload, and that's all she wrote.

In the majority of cases the emails claim to be notifications about a shipment you have sent or are about to receive (one you did not know was pending). Either way, it is hard to resist the curiosity about what the email is referring to. Our advice is: wait until your delivery person asks you about it directly, and DO NOT open the attached file or click on a link embedded inside the email. If you do, your computer will almost certainly be infected with the Gryphon ransomware.
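The attachment in the local case was a PDF with embedded JavaScript that ran on open. A PDF can only do that through a handful of dictionary keys (/OpenAction or /AA to trigger, /JavaScript, /JS or /Launch to act), so an accounting department can have attachments triaged offline before anyone opens them. The following is an added example written for this edit, not code from the original article or from Covault. The PDF samples are hand-constructed stand-ins (no real malware), and the indicator list and the two evasions it handles (hex-escaped key names such as /J#61vaScript, and action dictionaries hidden inside a Flate-compressed object stream) are our own choice of what a first-pass scanner should catch.

```python
import re
import zlib

# Dictionary keys that let a PDF run code or fire an action when opened.
# /OpenAction and /AA are triggers; /JavaScript, /JS and /Launch are payloads.
# Shipping notices and invoices have no business carrying any of them.
INDICATORS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch")


def _inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every Flate-compressed stream to the data.

    Object streams (/ObjStm) let an attacker park the action dictionary inside
    a compressed blob, so scanning only the raw bytes would miss it.
    """
    parts = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded (or corrupt): nothing to add
    return b"\n".join(parts)


def _decode_name_escapes(data: bytes) -> bytes:
    """Resolve #xx hex escapes in names, so /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return {indicator: count} for every action/script key found in the PDF."""
    text = _decode_name_escapes(_inflate_streams(data))
    found = {}
    for key in INDICATORS:
        # Lookahead so /JS does not also count a longer key that starts with /JS.
        hits = re.findall(re.escape(key) + rb"(?![A-Za-z0-9])", text)
        if hits:
            found[key.decode()] = len(hits)
    return found


def is_suspicious(data: bytes) -> bool:
    """True if the PDF carries any automatic action or script key."""
    return bool(scan_pdf(data))


# --- Constructed samples: minimal hand-written PDFs, not real attachments ---

def _pdf(objects: bytes) -> bytes:
    return b"%PDF-1.4\n" + objects + b"trailer << /Root 1 0 R >>\n%%EOF\n"


# Runs embedded JavaScript as soon as the document opens (the case in the article).
SUSPICIOUS_PDF = _pdf(
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.alert('constructed sample');) >> endobj\n")

# The same document with no actions at all.
BENIGN_PDF = _pdf(
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n")

# Evasion 1: key names are hex-escaped, which defeats a plain string search.
OBFUSCATED_PDF = _pdf(
    b"1 0 obj << /Type /Catalog /Open#41ction 4 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /J#53 (app.alert('constructed sample');) >> endobj\n")

# Evasion 2: the action dictionary lives inside a Flate-compressed object stream.
_HIDDEN = b"4 0 obj << /S /JavaScript /JS (app.alert('constructed sample');) >> endobj"
_BODY = zlib.compress(_HIDDEN)
_STREAM_OBJ = (b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n"
               % len(_BODY)) + _BODY + b"\nendstream\nendobj\n"
COMPRESSED_PDF = _pdf(b"1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj\n" + _STREAM_OBJ)


if __name__ == "__main__":
    for label, doc in [("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF),
                       ("obfuscated", OBFUSCATED_PDF), ("compressed", COMPRESSED_PDF)]:
        print(f"{label:11s} -> {'QUARANTINE' if is_suspicious(doc) else 'ok'} {scan_pdf(doc)}")
```

A hit from this scanner is a reason to quarantine the attachment and have someone look at it, not proof of malware: legitimate fillable forms do use /AA and /JS. The point is that the decision is made before the file reaches a reader that will execute the script, not after.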

Gryphon is file-encrypting ransomware: it encrypts the personal documents found on the victim's computer and appends a suffix to each file name of the form [some-email@address.com].gryphon, for example [chines34@protonmail.ch].gryphon. It then displays a message offering to decrypt the data if a payment of between $400 and $1,600 in Bitcoin is made. Unfortunately, paying does not guarantee anything: in many cases the files are never released after payment.

The Gryphon Process:

When Gryphon ransomware infects a PC it scans every drive letter on the computer (INCLUDING MAPPED NETWORK DRIVES) for a long list of targeted file types, which covers pretty much anything you would care about. Each file it finds is encrypted "in place": the plaintext original is overwritten on disk, so there is no unencrypted copy left to recover. Claims that Gryphon also uploads the files to the attacker's server before encrypting them should be treated with caution; ransomware of this type typically encrypts in place without exfiltration, and uploading every document on a file server would be slow and easy to spot on the network. The safe assumption for incident response is nevertheless that any file it touched may have been exposed, because the infected machine alone cannot prove otherwise. Once encrypted, the files can no longer be opened by your normal programs.

When Gryphon ransomware has finished encrypting the victim's files, it also drops a ransom note named !## DECRYPT FILES ##!.txt in every folder it touched. The note typically sets a deadline by which the victim must send the stated amount.
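The two artifacts just described, the [email].gryphon suffix and the !## DECRYPT FILES ##!.txt note in each folder, are enough to scope an incident quickly: which folders and mapped shares were hit, how many files, which contact address the attacker used, and what each file was called before it was renamed so it can be matched against backups. The following is an added example written for this edit, not code from the original article or from Covault. It assumes the naming convention exactly as stated above, and the directory tree it triages is a constructed stand-in (the "mapped share" is just a folder) rather than data from a real case.

```python
import os
import re
import tempfile
from collections import Counter

# Naming pattern from the article: original name, ".[attacker email]", ".gryphon".
GRYPHON_EXT = re.compile(r"\.\[([^\[\]\s]+@[^\[\]\s]+)\]\.gryphon$", re.IGNORECASE)
RANSOM_NOTE = "!## DECRYPT FILES ##!.txt"


def original_name(filename: str):
    """Strip the Gryphon suffix so the file can be matched against a backup.

    Returns None when the name does not carry the suffix (file was not touched).
    """
    m = GRYPHON_EXT.search(filename)
    return filename[:m.start()] if m else None


def triage_tree(root: str) -> dict:
    """Walk root and summarise the damage.

    Pass every drive letter and mapped share as a root: the ransomware scans
    all of them, so the workstation alone understates the impact.
    """
    encrypted, notes, emails, untouched = [], [], Counter(), 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            m = GRYPHON_EXT.search(name)
            if name == RANSOM_NOTE:
                notes.append(full)
            elif m:
                encrypted.append(full)
                emails[m.group(1)] += 1   # contact address embedded in the suffix
            else:
                untouched += 1
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "emails": emails,
        "dirs_hit": sorted({os.path.dirname(p) for p in encrypted}),
        "untouched": untouched,
    }


# --- Constructed sample tree: a hit workstation plus one mapped share ---

SAMPLE_EMAIL = "chines34@protonmail.ch"   # the address quoted in the article


def build_sample_tree() -> str:
    """Create a temporary directory laid out like a Gryphon victim's disk."""
    root = tempfile.mkdtemp(prefix="gryphon_triage_")
    layout = [
        f"Documents/Q3 report.docx.[{SAMPLE_EMAIL}].gryphon",
        f"Documents/invoices/inv-1042.pdf.[{SAMPLE_EMAIL}].gryphon",
        "Documents/" + RANSOM_NOTE,
        "Pictures/holiday.jpg",                 # untouched (not a targeted type)
        f"Z_mapped_share/ledger.xlsx.[{SAMPLE_EMAIL}].gryphon",
        "Z_mapped_share/" + RANSOM_NOTE,
    ]
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content\n")
    return root


if __name__ == "__main__":
    result = triage_tree(build_sample_tree())
    print(f"{len(result['encrypted'])} encrypted files in {len(result['dirs_hit'])} folders, "
          f"{len(result['notes'])} ransom notes, contact(s): {dict(result['emails'])}")
    for p in result["encrypted"]:
        print("  restore from backup:", original_name(os.path.basename(p)))
```

Run this from a clean machine against the victim's disk mounted read-only, or over the share, not from the infected workstation. The restore list it prints is the input to your backup job; the contact address lets you tie separate machines to the same campaign.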

If the victim does not pay by the deadline, the attackers typically either discard the decryption keys for the data on that device or raise the ransom amount. In the first case the encrypted data is gone for good unless you have a backup, and the machine should be wiped and rebuilt before it is trusted again; a factory reset or reinstall removes the malware but does not bring the files back.

Covault has experience with many variations of ransomware and sponsors research into these malware variations to discover weaknesses within them, enabling the end user to recover their data or mitigate losses. Stay tuned for case studies and research papers on current and future malware. It is possible that one day our team's discovery may get you out of a bind.